jonathan/openssh
1
0
Fork 0
forked from rpms/openssh
Code Pull Requests Activity

Adjust seccomp fiter for primary architectures and solve aarch64 issue (#1197051)

Browse Source
This commit is contained in:
Jakub Jelen 2015-02-26 15:52:20 +01:00
parent cbda6f57fb
commit bc083eb557
1 changed files with 23 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
openssh-6.7p1-seccomp-aarch64.patch
View File

@ -1,6 +1,8 @@
diff --git a/configure.ac b/configure.ac
index 4065d0e..d59ad44 100644
--- a/configure.ac --- a/configure.ac
+++ b/configure.ac +++ b/configure.ac
@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary(" @@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
i*86-*) i*86-*)
seccomp_audit_arch=AUDIT_ARCH_I386 seccomp_audit_arch=AUDIT_ARCH_I386
;; ;;
@ -16,22 +18,33 @@
if test "x$seccomp_audit_arch" != "x" ; then if test "x$seccomp_audit_arch" != "x" ; then
AC_MSG_RESULT(["$seccomp_audit_arch"]) AC_MSG_RESULT(["$seccomp_audit_arch"])
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 095b04a..59c3682 100644 index 095b04a..52f6810 100644
--- a/sandbox-seccomp-filter.c --- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c
@@ -90,8 +90,10 @@ static const struct sock_filter preauth_insns[] = { @@ -90,8 +90,20 @@ static const struct sock_filter preauth_insns[] = {
/* Load the syscall number for checking. */ /* Load the syscall number for checking. */
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
offsetof(struct seccomp_data, nr)), offsetof(struct seccomp_data, nr)),
- SC_DENY(open, EACCES), - SC_DENY(open, EACCES),
+ SC_DENY(openat, EACCES), /* no open() on AArch64 */ - SC_DENY(stat, EACCES),
+#ifdef __NR_stat + SC_DENY(openat, EACCES),
SC_DENY(stat, EACCES), +#ifdef __NR_open
+ SC_DENY(open, EACCES), /* - AArch64 */
+#endif
+#ifdef __NR_fstat
+ SC_DENY(fstat, EACCES), /* + x86_64 */
+#endif
+#if defined(__NR_stat64) && defined(__NR_fstat64)
+ SC_DENY(stat64, EACCES), /* + ix86, arm */
+ SC_DENY(fstat64, EACCES),
+#endif
+#ifdef __NR_newfstatat
+ SC_DENY(newfstatat, EACCES), /* + Aarch64 */
+#endif +#endif
SC_ALLOW(getpid), SC_ALLOW(getpid),
SC_ALLOW(gettimeofday), SC_ALLOW(gettimeofday),
SC_ALLOW(clock_gettime), SC_ALLOW(clock_gettime),
@@ -111,12 +113,16 @@ static const struct sock_filter preauth_insns[] = { @@ -111,12 +123,19 @@ static const struct sock_filter preauth_insns[] = {
SC_ALLOW(shutdown), SC_ALLOW(shutdown),
#endif #endif
SC_ALLOW(brk), SC_ALLOW(brk),
@ -44,6 +57,9 @@ index 095b04a..59c3682 100644
+#ifdef __NR_select /* Not available on AArch64 */ +#ifdef __NR_select /* Not available on AArch64 */
SC_ALLOW(select), SC_ALLOW(select),
#endif #endif
+#ifdef __NR_pselect6 /* + AArch64 */
+ SC_ALLOW(pselect6),
+#endif
+#endif +#endif
SC_ALLOW(madvise), SC_ALLOW(madvise),
#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */